MS12-064 is the only bulletin rated "critical". It fixes two vulnerabilities in Microsoft Word and applies to all versions of Microsoft Office. It addresses a vulnerability that can be exploited via a malicious RTF formatted e-mail through the Outlook Preview pane without having to open the e-mail. Since the development complexity of an attack against this vulnerability is low, we believe this vulnerability will be the first to have an exploit developed and recommend applying the MS12-064 update as quickly as possible.
All other bulletins are rated as important and apply to a wide variety of software ranging from Windows to Sharepoint to SQL Server, and include:
- MS12-069 is a bulletin that applies to Windows 7 and Windows 2008 R2 and addresses a DoS style vulnerability where a specifically malformed Kerberos packet can crash the target machine.
- MS12-066 addresses an XSS vulnerability in Microsoft’s SafeHTML library that is in use in a number of products, including Microsoft Sharepoint and LYNC, Microsoft’s IM client.
- MS12-067 is another instance of a vulnerability introduced by the Oracle Outside-In library. Oracle addressed a number of critical vulnerabilities in that library in its last CPU in June 2012, and now all software vendors that had embedded a version of this vulnerable library need to provide updates to their products. This instance is a non-default, paid add-on to Sharepoint that provides document indexing capabilities. An organization could be exploited if the add-on is installed and if an attacker is able to upload a malicious file into a Sharepoint server.
- MS12-070 fixes an XSS vulnerability in one of the reporting modules of Microsoft SQL Server. An attacker could use it to gain information about the SQL Server installation and would have to convince an SQL server administrator to click on a link that contains the malicious XSS code.
We recommend applying the updates as quickly as possible within your organization’s normal patching cycle.
Besides the seven bulletins, there are several security advisories that are being published. This month, KB2661254 is being switched to automatic download and will start enforcing a minimum of 1024 bit key length for certificates. This was announced three months ago and should not cause any disruption. Key lengths of under 1024 bits are forgeable and certificate authorities have stopped emitting such certificates for several years now. KB2749655 is a new advisory and explains a problem in Microsoft’s code signing infrastructure. During the three months in the summer of 2012, a number of binary files in Microsoft Security Bulletins were signed in a flawed way that will lead to their loss of validity – causing them to stop working in January 2013. To solve the problem, Microsoft will publish new versions of the affected bulletins, and organizations will need to reinstall the affected updates. This month the updated packages are MS12-053, MS12-054, MS12-055 and MS12-058. Microsoft provides more background on this process in their post on the SRD blog.
When planning the roll-out of these patches, don’t forget to include yesterday’s critical Adobe Flash update and to plan for next week’s Oracle Java update, that will contain fixes for a number of critical vulnerabilities that we already know about.